In a traditional electronic payment transaction, a consumer's PAN (primary account number) information is exposed to various entities involved during the transaction life-cycle. The PAN is passed from a merchant terminal, to an acquirer system, a payment processing network, payment gateways, etc.
Because the PAN can be exposed at various points in the transaction life-cycle, some have suggested that payment “tokens” be used to conduct payment transactions. A token serves as an additional security layer to the PAN and in effect becomes a proxy/surrogate to the PAN and may be used in place of PAN while submitting transactions. The use of payment tokens instead of PANs can reduce the risk of fraudulent activity since the real PAN is never exposed. It can also reduce or eliminate the need for merchants and other entities to be PCI DSS (Payment Card Industry Data Security Standard) compliant. PCI DSS is a standard that all organizations, including online retailers, must follow when storing, processing and transmitting their customer's credit card data. To be PCI complaint companies must use a firewall between any wireless network and their consumer data environment, use the latest security and authentication such as WPA/WPA2 and also change default settings for wired privacy keys, and use a network intrusion detection system.
Tokens can be of two types: payment tokens and non-payment tokens. Payment tokens can be used in lieu of PANs to generate and conduct original and subsequent payment transactions. Payment tokens can be sub categorized into static and dynamic tokens, both of which can be used to submit payment transactions once they are activated.
Static tokens can have longer life and can be used to submit multiple transactions. Dynamic tokens can be short lived tokens, and can be valid until the configured timeline. Once expired, they cannot be reused until reissued. In some cases, one dynamic token can be used to submit only one transaction.
Non-payment tokens can be used by merchant/acquirer systems for analytics, offers and any other purpose. Non-payment tokens cannot be used to submit a transaction. Non-payment tokens are often used by merchant and acquirer systems to keep track of transactions while avoiding the need to be PCI-DSS compliant.
While conventional efforts to use payment tokens have been useful, a number of additional problems need to be solved. For example, because the real PAN is not apparent from a corresponding token, it is difficult to identify the source of the token or the issuer of the token. On the one hand, the token is intended to hide information. On the other hand, it would be useful to identify from the payment token the origin or the issuer of the token. For example, it is difficult to route token based messages to the correct issuers since the routing information of a normal PAN is obfuscated.
Another problem to be solved is that various parties in the payment transaction processing system may need information about the token for various reasons. The various entities that need information about the token do not currently have a way to obtain such information. For example, because token are obfuscated PANs, it is not possible to run traditional fraud analyses on the tokens. Entities such as merchants may want to perform fraud analyses, but may not have a way to do so since they do not have the underlying account information to make the appropriate inquiries to either their own databases of information or others' databases of information.
Embodiments of the invention address these and other problems, individually and collectively.